
Feb 04 03 02:07p SVJ^p 408^^1 4GG0 p. 9 

libit A 

Intelligence to Right-price IP Services Q £ " 

xaccT 

To: Limor, Anil, Willie, Eran, Eric 

Subject: IP Accounting Under Attack - Let's Patent it - NOW! 

CC: Yuval, Ori, Gil H 
From: Tal Givoly 
Date: August 17, 1999 

Overview , v v . . ^ u . 

This memo is to prepare for the meeting we have on Monday. I realize this may be a bat late, but I 
hope you have time, at least, to go over this once during the weekend so we can discuss it further 
when we meet. 

Agenda 

Discuss patents already in the pipe: 

• IP Mediation 

• Session Reconstruction 

Questions: 

What is the actual filing date? 
When will they be granted? 

How's it going with the filing in England? When is this done? 

List of potential patents (more details on each, below): 

• IP Accounting Under Attack 
Distributed session reconstruction (can be an extension to Session Reconstruction, above) 
A library providing provisioning of accounting element, aggregation, filtering, at the 

network/service element 

• Distributed drill-down into distributed databases 

Questions: 

What's worth moving forward on? 

What's the next steps? Where should we patent? What can be done to accelerate? 

IP Accounting Under Attack 

This section presents an idea, which if patented, can potentially prevent any other mediatiorVbillrng 
solution from entering the IP billing mediation space. 

The Problem . 

We discovered at several customers (Navy, Harvard, Xpert) that when a network is under 
a hostile attack (an attempt to break in), a huge surge occurs in the amount of accounting 
information (not network traffic) that is generated by devices. 

For instance, if a computer on the network attempts a syn or fin attack on a network, it 
will scan all ports. There are 65,536 ports to scan, and all this takes place over a very 
short period of time, typically several seconds. The amount of network traffic that this 
represents is usually negligible (as the packets are of minimal size), but the amount of 
accounting data created is large. For instance, it would create 65,536 log entries in a ^ 
Srewall log, or 1 3 1 ,072 NetFlow flows, for each host that it attempts to attack. If a ping 
attack is used, then all the IPs are scanned in a similar fashion. 

The Solution 

The idea is that since this represents a serious problem for the mediation or billing system 
to cope with, it should be classified on ingress point to the mediation solution and a single 
record characterizing the attack should be produced. For instance: 
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A <type of attack* attack from <host> started at <start> lasted <duratio n > seconds 
and scanned through <IP range> and <Port range>. 

This record could easily aggregate hundreds of thousands of Neff low flows or records 
from a firewall log into a single record. Without this, the mediation/billing could easily 
overflow causing loss of data. 

Compared to Telephony 

This problem does not exist, to this degree, in the telephony world. There are 
cases in which there is a surge in the use of telephones, e.g. public gatherings, 
but it isn't in the order of magnitude that can be generated by an automated 
mechanism, such as a computer program. In telephony, this feature is called 
"mass call detection" and has nothing to do with automated, methodical, attack. 

So it makes perfect sense to patent this technology and incorporate into our 
product in the ISMs that this may affect (NetFlow, FWs, RMON, etc.). Every 
mediation/billing vendor will essentially NEED to implement a mechanism 
similar to this. The fact that we will patent many ways to detect this and protect 
the mediation/billing will allow us to prevent them from infringing on our 
patents and make it impossible to use competing solutions. 

A Side Effect , J . . 

A side-effect advantage is that this also creates an attack-detectionAvarmng 
mechanism built into those ISMs that employ this technology. The ISMs could 
create some trap sent to an NMS to handle the attack. 
The Technical Detail ur.^n^ 
Below is a list of techniques that we will patent as being used to identify attacks 
from accounting data. More can be added, of course, to make this as complete as 
possible and to prevent competition from suggesting a viable solution without 
infringing on our patent. 

Detect port scan, either up or down. Be careful not to tagger a false 
alarm on OS-randomly-assigned source ports. 
• Detect IP scan. 

Detect a surge in accounting traffic rate in ingress. In this case, count 
and discard records above a threshold. The attack is by the mere suggestion that 
this is not reflective of normal usage patterns. 

Conclusion J 

We need to patent this technology today, implement it tomorrow and announce it the next 
day. This could be a very important competitive advantage in light of the emerging 
competitive scenarios we're about to face. 

Distributed Session Reconstruction 

The Problem L 

When performing session reconstruction in order to identify the attnbutes of the higher 
layers of the protocol stack (usually, layer 7 - application layer) it is imperatave to 
capture all the packets in a given session. The control channels (containing the various 
negotiations and attributes) are particularly sensitive to loss in data captured For 
exfrrW, if the negotiation specifying on which a port an FTP will transfer the data ts not 
captured and analyzed, the bulk of the FTP transfer will not be captured and 
reconstructed. Usage data recorded will be inaccurate or, at least, unidentified to the 

TOs°type of problem occurs more frequently as networks become switched, and 
interconnect between POPs (Points of Present) of a service provider and between service 
providers become more meshed and redundant. The redundancy is used during normal 
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use as load-balancing. Two or more links carry potency th 
Regarding which physical link to traverse depends on the actual loadjhis ypeof 
dvnarnic load balancing causes a single session, perhaps, to be present on different 
pSS or togical corLmication channels. Performing session ."""T^* as 
SSe^Lding of packets from one channel may miss peronent mformation, as 
mentioned above. 

Ttl l sfng^uter process that would capture all the data would -Ive this problem. As 
ttuSnot Sble due to the distributed nature of the If the amount of data wa 

Conclusion 
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